First published: Mon May 22 2023 (Updated: )
### Impact

This vulnerability allows attackers to execute arbitrary code when you use Validation Placeholders. The vulnerability exists in the Validation library; validation methods in the controller and in-model validation are also vulnerable because they use the Validation library internally.

### Patches

Upgrade to v4.3.5 or later.

### Workarounds

Set validation rules with an array, e.g.:

```php
$validation->setRules([
    'email' => ['required', 'valid_email', 'is_unique[users.email,id,{id}]'],
]);
```

### References

- https://codeigniter4.github.io/userguide/libraries/validation.html#validation-placeholders
- https://codeigniter4.github.io/userguide/incoming/controllers.html#validating-data
- https://codeigniter4.github.io/userguide/models/model.html#in-model-validation

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [codeigniter4/CodeIgniter4](https://github.com/codeigniter4/CodeIgniter4/issues)
* Email us at [SECURITY.md](https://github.com/codeigniter4/CodeIgniter4/blob/develop/SECURITY.md)
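The advisory shows the array-form workaround only for a direct `Validation::setRules()` call, but it also names controller validation and in-model validation as affected. The following is an added example, not code from the advisory or the CodeIgniter project, applying the same array form to those two entry points; it assumes a CodeIgniter 4.3.x application with a `users` table that has `id` and `email` columns (the columns named in the advisory's `is_unique` rule), and the `UserModel` / `Users` class names are hypothetical.

```php
<?php
// Added example: the advisory's array-form workaround applied to
// in-model validation and controller validation. Hypothetical class names.

namespace App\Models {
    use CodeIgniter\Model;

    class UserModel extends Model
    {
        protected $table         = 'users';
        protected $primaryKey    = 'id';
        protected $allowedFields = ['email'];

        // Each field's rules given as an array of rule names (the workaround),
        // rather than one pipe-delimited string such as
        // 'required|valid_email|is_unique[users.email,id,{id}]'.
        // The {id} placeholder is filled from the data being validated.
        protected $validationRules = [
            'email' => ['required', 'valid_email', 'is_unique[users.email,id,{id}]'],
        ];
    }
}

namespace App\Controllers {
    class Users extends BaseController
    {
        public function update()
        {
            // Same array form for controller-side validation; $this->validate()
            // hands these rules to the Validation library internally.
            $rules = [
                'id'    => ['required', 'is_natural_no_zero'],
                'email' => ['required', 'valid_email', 'is_unique[users.email,id,{id}]'],
            ];

            if (! $this->validate($rules)) {
                return redirect()->back()->withInput()
                    ->with('errors', $this->validator->getErrors());
            }

            return redirect()->back()->with('message', 'Validated');
        }
    }
}
```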
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Codeigniter Codeigniter | <4.3.5 | |
| composer/codeigniter4/framework | <4.3.5 | 4.3.5 |
This vulnerability allows attackers to execute arbitrary code when using Validation Placeholders in CodeIgniter.
CodeIgniter versions up to and including 4.3.5 are affected.
Update CodeIgniter to version 4.3.6 or higher to fix this vulnerability.
You can find more information about this vulnerability on the GitHub security advisory page.
The CWE ID for this vulnerability is 94.